How to Configure UFW Firewall on Raspberry Pi: A Complete Guide

A firewall is one of the most fundamental security tools you can set up on your Raspberry Pi. UFW (Uncomplicated Firewall) is a user-friendly frontend for iptables that makes it easy to manage firewall rules without dealing with complex syntax. This guide walks you through installing, configuring, and managing UFW on your Raspberry Pi.

What is UFW?

UFW stands for Uncomplicated Firewall. It provides a simplified interface to the powerful Linux iptables firewall. With UFW you can:

  • Allow or deny incoming and outgoing traffic on specific ports
  • Restrict access to services from specific IP addresses or subnets
  • Set default policies for all traffic
  • Manage rules with simple, readable commands

Prerequisites

  • A Raspberry Pi running Raspberry Pi OS
  • SSH or direct terminal access to your Pi
  • sudo privileges

Installing UFW

UFW may already be installed on your system. If not, install it with:

Bash
sudo apt update
sudo apt install ufw -y

Check the current status:

Bash
sudo ufw status

It should report Status: inactive if this is a fresh install.

Critical Warning About SSH

Before enabling UFW, you must allow SSH access first. If you enable the firewall without an SSH rule and you are connected remotely, you will be immediately locked out of your Pi. Always run this command before enabling:

Bash
sudo ufw allow ssh

This allows incoming TCP traffic on port 22, which is the default SSH port.

Setting Default Policies

The best practice is to deny all incoming traffic by default and allow all outgoing traffic. This means nothing can connect to your Pi unless you explicitly permit it, while your Pi can still reach the internet:

Bash
sudo ufw default deny incoming
sudo ufw default allow outgoing

Enabling UFW

With SSH allowed and defaults set, enable the firewall:

Bash
sudo ufw enable

You will see a warning that existing SSH connections may be disrupted. Since you already added the SSH rule, type y to confirm. UFW is now active and will start automatically on boot.

Allowing Specific Ports

Allow common service ports as needed:

Bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

You can also allow both TCP and UDP on a port by omitting the protocol:

Bash
sudo ufw allow 53

This is useful for DNS services like Pi-hole that need both TCP and UDP on port 53.

Allowing Port Ranges

If a service uses a range of ports, you can allow the entire range:

Bash
sudo ufw allow 6000:6007/tcp

This allows TCP traffic on ports 6000 through 6007. You must specify the protocol (tcp or udp) when using port ranges.

Allowing by Service Name

UFW knows about common services defined in /etc/services. You can use service names instead of port numbers:

Bash
sudo ufw allow http
sudo ufw allow https

To see all available service names:

Bash
less /etc/services

Restricting Access by IP Address

You can allow connections only from specific IP addresses. This is useful for limiting SSH access to your local network:

Bash
sudo ufw allow from 192.168.1.0/24 to any port 22

This allows SSH connections only from devices on the 192.168.1.x subnet. You can also allow a single IP:

Bash
sudo ufw allow from 192.168.1.50 to any port 3000

This lets only 192.168.1.50 access port 3000, which is useful for restricting admin panels like Grafana.
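As an added example, not code from this guide, the short POSIX shell script below packages two checks for the steps above: a lockout guard that confirms an SSH allow rule exists before you run sudo ufw enable (it reads sudo ufw show added, because ufw status lists no rules while the firewall is still inactive), and an audit of sudo ufw status output that lists every port allowed from Anywhere, so an admin port you meant to restrict to a subnet stands out. The function names, the ADMIN_PORTS list and the "check" argument are assumptions; the parsing relies only on the To/Action/From columns ufw prints.

```sh
#!/bin/sh
# Added example, not part of the guide. Two checks around the steps above:
#   ssh_rule_present  - lockout guard to run before `sudo ufw enable`; reads
#                       `sudo ufw show added` output, which lists rules even
#                       while UFW is inactive (`ufw status` shows none then).
#   open_to_anywhere  - reads `sudo ufw status` (plain, verbose or numbered)
#                       output and prints every port allowed from Anywhere.
#   admin_ports_exposed - fails if any ADMIN_PORTS entry is open to Anywhere.
# ADMIN_PORTS is an assumption based on the admin services in the port table.
ADMIN_PORTS="22 3000 9000 9090"

ssh_rule_present() {
    # Accepts "ufw allow 22/tcp", "ufw allow 22", "ufw allow ssh",
    # "ufw allow OpenSSH" and "ufw allow from <net> to any port 22".
    # Deliberately does not match 2222/tcp or a 22 inside an IP address.
    grep '^ufw allow ' | grep -Eq '(^| )(22|22/tcp|ssh)($| )|OpenSSH'
}

open_to_anywhere() {
    # Keep ALLOW lines whose From column is exactly "Anywhere"; the IPv6
    # duplicates end in "(v6)" and are skipped. Strip a leading "[ N] " from
    # `ufw status numbered` so the To column is always field 1.
    awk '$NF == "Anywhere" && $0 ~ /ALLOW/ {
            sub(/^\[ *[0-9]+\] */, "")
            print $1
         }'
}

admin_ports_exposed() {
    # Compare the port part of each exposed "port/proto" with ADMIN_PORTS.
    found=0
    for p in $(open_to_anywhere | sed 's#/.*##'); do
        for a in $ADMIN_PORTS; do
            if [ "$p" = "$a" ]; then
                echo "port $p is allowed from Anywhere; restrict it to a subnet"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# On the Pi (needs sudo): run this script with the argument "check".
if [ "${1:-}" = "check" ]; then
    sudo ufw show added | ssh_rule_present || { echo "no SSH rule; add one first"; exit 1; }
    sudo ufw status | admin_ports_exposed
fi
```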

Denying Specific Traffic

To explicitly block traffic from a specific IP:

Bash
sudo ufw deny from 203.0.113.50

Or deny a specific port:

Bash
sudo ufw deny 8080/tcp

Viewing Firewall Status

Check the current rules and status:

Bash
sudo ufw status verbose

For a numbered list of rules (useful for deleting):

Bash
sudo ufw status numbered

Deleting Rules

To delete a rule, first list rules with numbers:

Bash
sudo ufw status numbered

Then delete by number:

Bash
sudo ufw delete 3

You can also delete by specifying the rule itself:

Bash
sudo ufw delete allow 8080/tcp

Resetting UFW

If you need to start over, reset UFW to its default state:

Bash
sudo ufw reset

This removes all rules and disables the firewall. You will need to reconfigure everything from scratch, so use this cautiously.

Common Port Reference

Here is a quick reference for ports you may want to allow on a Raspberry Pi homelab:

| Port | Service |
|------|---------|
| 22 | SSH |
| 53 | DNS (Pi-hole) |
| 80 | HTTP |
| 443 | HTTPS |
| 3000 | Grafana |
| 3001 | Uptime Kuma |
| 8080 | Various web apps |
| 9000 | Portainer |
| 9090 | Prometheus |

Troubleshooting

  • Locked out of SSH: Connect a monitor and keyboard directly to your Pi. Log in locally and run sudo ufw allow ssh followed by sudo ufw enable.
  • UFW not starting on boot: Run sudo systemctl enable ufw to ensure it starts automatically.
  • Rules not taking effect: Make sure UFW is active with sudo ufw status. If you just added a rule, it takes effect immediately without needing a restart.
  • Docker bypasses UFW: Docker modifies iptables directly, which can bypass UFW rules. If you need UFW to manage Docker traffic, add DOCKER_OPTS="--iptables=false" to /etc/default/docker and manage port exposure through UFW manually.
  • Cannot access a service you just deployed: Check if the port is allowed with sudo ufw status. If not, add it with sudo ufw allow <port>/tcp.

Conclusion

UFW provides a straightforward way to manage firewall rules on your Raspberry Pi without wrestling with iptables syntax. By setting sensible defaults, allowing only the ports you need, and restricting access by IP where possible, you significantly reduce your Pi's exposure to unauthorized access. Combined with tools like fail2ban, UFW forms a critical layer of your homelab security.